Human factor security: evaluating the cybersecurity capacity of the industrial workforce

As cyber-attacks continue to grow, organisations adopting the Internet of Things (IoT) have had to respond to security concerns that threaten their businesses in a highly competitive environment. Many recorded industrial cyber-attacks have defeated technical security controls by exploiting human-factor vulnerabilities in security knowledge and skills, manipulating human actors into inadvertently granting access to critical industrial assets. Knowledge and skill capabilities underpin the analytical proficiency on which cybersecurity readiness depends. A human-factored security effort is therefore required to investigate the capacity of the human constituents (the workforce) to recognise and respond appropriately to cyber intrusion events within the industrial control system (ICS) environment.

A quantitative approach (statistical analysis) is adopted to quantify the potential cybersecurity capability of industrial human actors, to identify the least security-capable members of the workforce in the operational domain, i.e. those with the greatest likelihood of succumbing to cyber-attacks (the weakest link), and to guide the enhancement of security assurance.

To support these objectives, a Human-factored Cyber Security Capability Evaluation approach is presented using conceptual analysis techniques. Using a test scenario, the approach demonstrates the capacity to provide an efficient evaluation of workforce security knowledge and skills capabilities and to identify the weakest link in the workforce. The approach can give organisations a better view of workforce security attributes such as security consciousness, alertness and response aptitude, guiding them towards a strategic allocation of remediation scope and resources without undue waste or redundancy.

This paper demonstrates originality by providing a framework and computational approach for characterising and quantifying human-factor security capabilities based on security knowledge and security skills. It also supports the identification of potential security weakest links amongst an evaluated industrial workforce (human agents), key areas of security susceptibility and relevant control interventions. The model and validation results demonstrate the application of action research: the paper illustrates how action research can be applied in socio-technical dimensions to solve recurrent and dynamic problems of cyber security improvement in industrial environments. It provides value by demonstrating how theoretical security knowledge (awareness) and practical security skills can help resolve cyber security response and control uncertainties within industrial organisations.
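The kind of statistical scoring and weakest-link identification the abstract describes, written out as an added illustration that is not the paper's model or code: it assumes four topic areas, a 0.4/0.6 knowledge-to-skill weighting, a one-standard-deviation threshold for flagging low capability and a 0.3 knowledge-minus-skill gap for flagging awareness that is not backed by practical skill, all of which are assumptions made here, and it runs over constructed assessment data rather than the paper's test scenario.

```python
"""Illustrative workforce capability scoring (an added example, not the paper's model).

Each person is assessed twice on the same topic areas: a knowledge score from a
questionnaire (awareness) and a skill score from a practical scenario (response).
Workforce-wide statistics then give the weakest link overall and per role, the
people whose capability falls more than one standard deviation below the mean,
the topics where practical skill is weakest (susceptibility areas), and the
"aware but unskilled" cases whose knowledge is not matched by their behaviour.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

# Topic areas, weights and thresholds are assumptions for this example, not values from the paper.
TOPICS = ("phishing", "removable_media", "remote_access", "incident_reporting")
W_KNOWLEDGE = 0.4    # weight of mean knowledge (awareness) in the composite score
W_SKILL = 0.6        # weight of mean demonstrated skill; weighted higher as it predicts behaviour
GAP_THRESHOLD = 0.3  # knowledge-minus-skill gap that flags "knows the policy, cannot apply it"


@dataclass(frozen=True)
class Assessment:
    person: str
    role: str
    knowledge: dict  # topic -> score in [0, 1] from a questionnaire
    skills: dict     # topic -> score in [0, 1] from a practical scenario


def knowledge_mean(a: Assessment) -> float:
    return mean(a.knowledge[t] for t in TOPICS)


def skill_mean(a: Assessment) -> float:
    return mean(a.skills[t] for t in TOPICS)


def capability(a: Assessment) -> float:
    """Composite capability: weighted blend of mean knowledge and mean skill, rounded to 3 dp."""
    return round(W_KNOWLEDGE * knowledge_mean(a) + W_SKILL * skill_mean(a), 3)


def evaluate(assessments: list) -> dict:
    scores = {a.person: capability(a) for a in assessments}
    values = list(scores.values())
    mu, sigma = mean(values), pstdev(values)

    # Weakest link overall, and the least capable person within each operational role.
    weakest = min(scores, key=scores.get)
    by_role = {}
    for a in assessments:
        if a.role not in by_role or scores[a.person] < scores[by_role[a.role]]:
            by_role[a.role] = a.person

    # People more than one standard deviation below the workforce mean.
    below = [p for p, s in scores.items() if s < mu - sigma]

    # Susceptibility areas: the two topics with the lowest workforce-wide practical skill.
    topic_skill = {t: mean(a.skills[t] for a in assessments) for t in TOPICS}
    weak_topics = sorted(topic_skill, key=topic_skill.get)[:2]

    # Awareness without skill: high questionnaire score, poor practical performance.
    aware_unskilled = [a.person for a in assessments
                       if knowledge_mean(a) - skill_mean(a) > GAP_THRESHOLD]

    return {
        "scores": scores,
        "mean": mu,
        "stdev": sigma,
        "weakest_link": weakest,
        "weakest_by_role": by_role,
        "below_threshold": below,
        "susceptibility_areas": weak_topics,
        "awareness_without_skill": aware_unskilled,
    }


# Constructed sample data for four people across three roles (not from the paper).
SAMPLE = [
    Assessment("operator_a", "control_room",
               {"phishing": 0.9, "removable_media": 0.8, "remote_access": 0.7, "incident_reporting": 0.9},
               {"phishing": 0.8, "removable_media": 0.7, "remote_access": 0.6, "incident_reporting": 0.9}),
    Assessment("engineer_b", "maintenance",
               {"phishing": 0.6, "removable_media": 0.5, "remote_access": 0.8, "incident_reporting": 0.6},
               {"phishing": 0.5, "removable_media": 0.3, "remote_access": 0.7, "incident_reporting": 0.4}),
    Assessment("contractor_c", "maintenance",
               {"phishing": 0.4, "removable_media": 0.3, "remote_access": 0.5, "incident_reporting": 0.4},
               {"phishing": 0.3, "removable_media": 0.2, "remote_access": 0.4, "incident_reporting": 0.3}),
    Assessment("manager_d", "management",
               {"phishing": 0.9, "removable_media": 0.9, "remote_access": 0.8, "incident_reporting": 0.9},
               {"phishing": 0.5, "removable_media": 0.4, "remote_access": 0.3, "incident_reporting": 0.5}),
]

if __name__ == "__main__":
    for key, value in evaluate(SAMPLE).items():
        print(f"{key}: {value}")
```

On the constructed data the contractor is the weakest link and the only person below the one-sigma threshold, removable media and remote access come out as the weakest practical areas, and the manager is flagged as aware but unskilled: a high questionnaire score with poor scenario performance is exactly the case a pure awareness survey would miss, which is why the skill dimension is weighted higher here.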